Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

com.github.spotbugs:sonar-findbugs-plugin

Package Overview
Dependencies
Maintainers
2
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

com.github.spotbugs:sonar-findbugs-plugin

SpotBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods.

  • 4.2.10
  • Source
  • Maven
  • Socket score

Version published
Maintainers
2
Source

SonarQube Spotbugs Plugin

.github/workflows/build.yml FindBugs Rules Coverage Status

Description / Features

This SonarQube plugin uses SpotBugs, fb-contrib and Find Security Bugs to provide coding rules.

Supported Languages

The plugin works by analysing the compiled .class files and reporting the issues in the corresponding source files. The currently supported JVM languages are:

  • Java
  • JSP (Java Server Pages)
  • Scala
  • Kotlin

Usage

In the quality profile, activate some rules from Spotbugs, fb-contrib or Find Security Bugs rule repositories and run an analysis on your project.

Configuration

This plugin can be configured with sonar web interface (see the General Settings/Languages/Java section) or with project properties.

Allow uncompiled code (sonar.findbugs.allowuncompiledcode): Remove the compiled code requirement for all projects. It can lead to a false sense of security if the build process skips certain projects. This option might be used to get around the One (sub)project contains Java source files that are not compiled error.

Confidence level (sonar.findbugs.confidenceLevel): Specifies the confidence threshold (previously called "priority") for reporting issues. If set to "low", confidence is not used to filter bugs. If set to "medium" (the default), low confidence issues are supressed. If set to "high", only high confidence bugs are reported.

Effort (sonar.findbugs.effort): Effort of the bug finders. Valid values are Min, Default and Max. Setting 'Max' increases precision but also increases memory consumption.

Excludes (sonar.findbugs.excludesFilters): Paths to findbugs filter-files with exclusions.

Timeout (sonar.findbugs.timeout): Specifies the amount of time, in milliseconds, that FindBugs may run before it is assumed to be hung and is terminated. The default is 600,000 milliseconds, which is ten minutes.

Only analyze (sonar.findbugs.onlyAnalyze): Restrict analysis to a comma-separated list of classes and packages. For large projects, this may greatly reduce the amount of time needed to run the analysis. (However, some detectors may produce inaccurate results if they aren’t run on the entire application.) Classes should be specified using their full classnames (including package), and packages should be specified in the same way they would in a Java import statement to import all classes in the package (i.e., add .* to the full name of the package). Replace .* with .- to also analyze all subpackages.

Analyze tests (sonar.findbugs.analyzeTests): Starting with version 4.2.3 AND when running SonarQube 9.8 and above, unit tests are analyzed by default. Use this option to enable/disable the analysis of tests. See the SonarQube documentation for the definition of test and non-test code.

Compiled code

FindBugs requires the compiled classes to run, if the project has JSP files they will need to be precompiled.

Make sure that you compile your source code with debug information on (to get the line numbers in the Java bytecode). Debug is usually on by default unless you're compiling with Ant, in which case, you will need to turn it on explicitly. If the debug information is not available, the issues raised by FindBugs will be displayed at the beginning of the file because the correct line numbers were not available.

Compatibility

Since version 3.0, the plugin embed FindBugs 3.0.0 which supports analysis of Java 8 bytecode but requires Java 1.7 to run (see Compatibility section). Please find below the compatibility matrix of the plugin. Versions 4.0.3 and below are not compatible with SonarQube 9.

Findbugs Plugin versionEmbedded SpotBugs/Findbugs versionEmbedded Findsecbugs versionEmbedded FB-Contrib versionMinimal Java versionSupported SonarQube versionMinimum sonar-java version
3.103.1.11 (SpotBugs)1.8.07.4.3sb1.87.6-8.95.10.1.16922
3.11.03.1.12 (SpotBugs)1.8.07.4.3sb1.87.6-8.95.10.1.16922
4.0.04.0.0 (SpotBugs)1.10.17.4.7 (sb-contrib)1.87.6-8.95.10.1.16922
4.0.14.1.2 (SpotBugs)1.10.17.4.7 (sb-contrib)1.87.9-8.95.10.1.16922
4.0.24.2.0 (SpotBugs)1.11.07.4.7 (sb-contrib)1.87.9-8.95.10.1.16922
4.0.34.2.0 (SpotBugs)1.11.07.4.7 (sb-contrib)1.87.9-8.95.10.1.16922
4.0.44.4.0 (SpotBugs)1.11.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.0.54.5.0 (SpotBugs)1.11.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.0.64.5.2 (SpotBugs)1.11.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.1.44.6.0 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.1.54.7.0 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.1.64.7.0 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.2.04.7.1 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.2.14.7.2 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.2.24.7.3 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.2.34.7.3 (SpotBugs)1.12.07.4.7 (sb-contrib)1.87.9~5.10.1.16922
4.2.44.7.3 (SpotBugs)1.12.07.6.0 (sb-contrib)1.87.9~5.10.1.16922
4.2.54.8.1 (SpotBugs)1.12.07.6.0 (sb-contrib)1.87.9~5.10.1.16922
4.2.64.8.2 (SpotBugs)1.12.07.6.2 (sb-contrib)1.87.9~5.10.1.16922
4.2.74.8.3 (SpotBugs)1.12.07.6.4 (sb-contrib)1.87.9~5.10.1.16922
4.2.84.8.3 (SpotBugs)1.13.07.6.4 (sb-contrib)1.87.9~5.10.1.16922
4.2.94.8.4 (SpotBugs)1.13.07.6.4 (sb-contrib)1.87.9~5.10.1.16922
4.2.104.8.6 (SpotBugs)1.13.07.6.4 (sb-contrib)1.87.9~5.10.1.16922
4.3.04.8.6 (SpotBugs)1.13.07.6.4 (sb-contrib)179.9~8.0.1.36337
4.3.1-SNAPSHOT4.8.6 (SpotBugs)1.13.07.6.7 (sb-contrib)179.9~8.0.1.36337

FAQs

Package last updated on 31 Jul 2024

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc